RE: Increase seen in port probes since Tuesday afternoon
From: James C Slora Jr (Jim.Slora_at_phra.com)
Date: 12/30/04
- Previous message: M. Shirk: "RE: Increase seen in port probes since Tuesday afternoon"
- In reply to: BahdKo: "Increase seen in port probes since Tuesday afternoon"
- Next in thread: Michael: "RE: Increase seen in port probes since Tuesday afternoon"
- Reply: Michael: "RE: Increase seen in port probes since Tuesday afternoon"
- Reply: Jeff Kell: "Re: Increase seen in port probes since Tuesday afternoon"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'BahdKo'" <bahdko@erols.com>, <incidents@securityfocus.com>
Date: Thu, 30 Dec 2004 14:44:51 -0500
BahdKo wrote Thursday, December 30, 2004 04:23
> Since Tuesday afternoon EST I've seen a dramatic increase in
> the number of machines probing my network on ports 2745,
> 1025, 3127, 6129, and usually 80. Each probe involves the
> machine sending three packets to each port.
Yes, from time to time. The port pattern is typical of many botnets, many of
which will focus multiple drones against a particular IP space for a while.
Packet captures might reveal whether there is anything new or interesting
about any of the individual probes. The three packets would probably be
standard SYN retries. Again, a packet capture would show whether or not this
is the case. If a destination device is listening on any of those ports, a
packet capture might also give an indication about whether there is some new
payload.
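The check suggested in the reply above, as an added example that is not part of the original message: it reads a capture exported as text and decides, per source and destination port, whether repeated SYNs are retransmissions of one connection attempt (same source port and initial sequence number) or separate attempts. It assumes the `tcpdump -n -tt` text format; the sample lines and addresses are constructed, and `classify_probes` is a hypothetical name.

```python
import re
from collections import defaultdict

# Constructed sample in the text format printed by `tcpdump -n -tt` (not real traffic).
SAMPLE = """\
1104435891.000000 IP 192.0.2.10.4312 > 198.51.100.5.2745: Flags [S], seq 1111111111, win 16384, options [mss 1460], length 0
1104435894.010000 IP 192.0.2.10.4312 > 198.51.100.5.2745: Flags [S], seq 1111111111, win 16384, options [mss 1460], length 0
1104435900.020000 IP 192.0.2.10.4312 > 198.51.100.5.2745: Flags [S], seq 1111111111, win 16384, options [mss 1460], length 0
1104435891.100000 IP 192.0.2.77.1201 > 198.51.100.5.3127: Flags [S], seq 2000000001, win 16384, options [mss 1460], length 0
1104435891.200000 IP 192.0.2.77.1202 > 198.51.100.5.3127: Flags [S], seq 2000000555, win 16384, options [mss 1460], length 0
1104435891.300000 IP 192.0.2.77.1203 > 198.51.100.5.3127: Flags [S], seq 2000000999, win 16384, options [mss 1460], length 0
1104435892.000000 IP 198.51.100.5.80 > 192.0.2.10.4400: Flags [S.], seq 5, ack 6, win 100, length 0
"""

# Matches bare SYNs only; "[S.]" (SYN-ACK) and other flag sets are skipped.
SYN_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[S\], seq (?P<seq>\d+)")

def classify_probes(text):
    """Group bare SYNs by (src, dst, dport) and label each group."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = SYN_RE.match(line)
        if m:
            key = (m["src"], m["dst"], int(m["dport"]))
            groups[key].append((float(m["ts"]), int(m["sport"]), int(m["seq"])))
    report = {}
    for key, syns in groups.items():
        syns.sort()
        # Seconds between consecutive SYNs; retransmissions usually back off.
        gaps = [round(b[0] - a[0], 2) for a, b in zip(syns, syns[1:])]
        # A retransmitted SYN reuses the source port and initial sequence number.
        same_conn = len({(sport, seq) for _, sport, seq in syns}) == 1
        if len(syns) == 1:
            verdict = "single_syn"
        elif same_conn:
            verdict = "syn_retries"
        else:
            verdict = "separate_attempts"
        report[key] = {"count": len(syns), "verdict": verdict, "gaps": gaps}
    return report

if __name__ == "__main__":
    for key, info in classify_probes(SAMPLE).items():
        print(key, info)
```

Groups labelled `separate_attempts` are the ones worth a closer look in the full capture, since they are not explained by ordinary TCP retry behaviour.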